static int
 config_tls_config(ConfigArgs *c) {
        int i, flag;
-       slap_verbmasks crlkeys[] = {
-               { BER_BVC("none"),      LDAP_OPT_X_TLS_CRL_NONE },
-               { BER_BVC("peer"),      LDAP_OPT_X_TLS_CRL_PEER },
-               { BER_BVC("all"),       LDAP_OPT_X_TLS_CRL_ALL },
-               { BER_BVNULL, 0 }
-       };
-       slap_verbmasks vfykeys[] = {
-               { BER_BVC("never"),     LDAP_OPT_X_TLS_NEVER },
-               { BER_BVC("demand"),    LDAP_OPT_X_TLS_DEMAND },
-               { BER_BVC("try"),       LDAP_OPT_X_TLS_TRY },
-               { BER_BVC("hard"),      LDAP_OPT_X_TLS_HARD },
-               { BER_BVNULL, 0 }
-       }, *keys;
        switch(c->type) {
-       case CFG_TLS_CRLCHECK:  flag = LDAP_OPT_X_TLS_CRLCHECK;         keys = crlkeys; break;
-       case CFG_TLS_VERIFY:    flag = LDAP_OPT_X_TLS_REQUIRE_CERT;     keys = vfykeys; break;
+       case CFG_TLS_CRLCHECK:  flag = LDAP_OPT_X_TLS_CRLCHECK; break;
+       case CFG_TLS_VERIFY:    flag = LDAP_OPT_X_TLS_REQUIRE_CERT; break;
        default:
                Debug(LDAP_DEBUG_ANY, "%s: "
                                "unknown tls_option <0x%x>\n",
                return 1;
        }
        if (c->op == SLAP_CONFIG_EMIT) {
-               ldap_pvt_tls_get_option( slap_tls_ld, flag, &c->value_int );
-               for (i=0; !BER_BVISNULL(&keys[i].word); i++) {
-                       if (keys[i].mask == c->value_int) {
-                               c->value_string = ch_strdup( keys[i].word.bv_val );
-                               return 0;
-                       }
-               }
-               return 1;
+               return slap_tls_get_config( slap_tls_ld, flag, &c->value_string );
        } else if ( c->op == LDAP_MOD_DELETE ) {
                int i = 0;
                return ldap_pvt_tls_set_option( slap_tls_ld, flag, &i );
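Review bot: The emit branch now returns whatever slap_tls_get_config returns, which is -1 on failure, while the code it replaces and the `default:` case above both return 1. Whether the config framework treats those two values differently is not visible here, so I would keep the handler's convention explicit with `return slap_tls_get_config( slap_tls_ld, flag, &c->value_string ) ? 1 : 0;`. The old path also stored the numeric setting in `c->value_int` and the new one does not, which is fine only if nothing reads that field after an emit. config_tls_config continues past the end of this hunk.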
 
        { BER_BVC("critical"),  SB_TLS_CRITICAL },
        { BER_BVNULL, 0 }
 };
+
+static slap_verbmasks crlkeys[] = {
+               { BER_BVC("none"),      LDAP_OPT_X_TLS_CRL_NONE },
+               { BER_BVC("peer"),      LDAP_OPT_X_TLS_CRL_PEER },
+               { BER_BVC("all"),       LDAP_OPT_X_TLS_CRL_ALL },
+               { BER_BVNULL, 0 }
+       };
+
+static slap_verbmasks vfykeys[] = {
+               { BER_BVC("never"),     LDAP_OPT_X_TLS_NEVER },
+               { BER_BVC("demand"),    LDAP_OPT_X_TLS_DEMAND },
+               { BER_BVC("try"),       LDAP_OPT_X_TLS_TRY },
+               { BER_BVC("hard"),      LDAP_OPT_X_TLS_HARD },
+               { BER_BVNULL, 0 }
+       };
 #endif
 
 static slap_verbmasks methkey[] = {
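Review bot: `crlkeys` and `vfykeys` sit ahead of the `#endif` that follows them, so they are compiled only when that conditional holds, but slap_tls_get_config, added further down in this commit, refers to both with no guard visible around it. The opening `#if` is outside the hunk; if it is `HAVE_TLS`, a build without TLS would fail on the undefined tables. I would wrap the body of slap_tls_get_config in the same conditional and have it `return -1;` in the `#else` branch, in line with the `#ifdef HAVE_TLS` that bindconf_tls_defaults already puts around its body.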
        return 0;
 }
 
+int
+slap_tls_get_config( LDAP *ld, int opt, char **val )
+{
+       slap_verbmasks *keys;
+       int i, ival;
+
+       *val = NULL;
+       switch( opt ) {
+       case LDAP_OPT_X_TLS_CRLCHECK:
+               keys = crlkeys;
+               break;
+       case LDAP_OPT_X_TLS_REQUIRE_CERT:
+               keys = vfykeys;
+               break;
+       default:
+               return -1;
+       }
+       ldap_pvt_tls_get_option( ld, opt, &ival );
+       for (i=0; !BER_BVISNULL(&keys[i].word); i++) {
+               if (keys[i].mask == ival) {
+                       *val = ch_strdup( keys[i].word.bv_val );
+                       return 0;
+               }
+       }
+       return -1;
+}
+
 int
 bindconf_parse( const char *word, slap_bindconf *bc )
 {
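Review bot: The result of `ldap_pvt_tls_get_option( ld, opt, &ival )` is discarded, so if that call fails without writing `ival`, the loop compares the table masks against an indeterminate value and can report a certificate-verification or CRL mode that was never configured. Check it before the lookup: `if ( ldap_pvt_tls_get_option( ld, opt, &ival ) ) return -1;`. A short header comment should also say that on success `*val` is a `ch_strdup` copy owned by the caller, and that `*val` is NULL on every failure path.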
 #endif
 }
 
+void
+bindconf_tls_defaults( slap_bindconf *bc )
+{
+#ifdef HAVE_TLS
+       if ( bc->sb_tls_do_init ) {
+               if ( !bc->sb_tls_cacert )
+                       ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CACERTFILE,
+                               &bc->sb_tls_cacert );
+               if ( !bc->sb_tls_cacertdir )
+                       ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CACERTDIR,
+                               &bc->sb_tls_cacertdir );
+               if ( !bc->sb_tls_cert )
+                       ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CERTFILE,
+                               &bc->sb_tls_cert );
+               if ( !bc->sb_tls_key )
+                       ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_KEYFILE,
+                               &bc->sb_tls_key );
+               if ( !bc->sb_tls_cipher_suite )
+                       ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CIPHER_SUITE,
+                               &bc->sb_tls_cipher_suite );
+               if ( !bc->sb_tls_reqcert )
+                       bc->sb_tls_reqcert = ch_strdup("demand");
+#ifdef HAVE_OPENSSL_CRL
+               if ( !bc->sb_tls_crlcheck )
+                       slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_CRLCHECK,
+                               &bc->sb_tls_crlcheck );
+#endif
+       }
+#endif
+}
+
 #ifdef HAVE_TLS
 static struct {
        const char *key;
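Review bot: bindconf_tls_defaults has no comment stating which TLS settings a bindconf inherits, and the choice is security-relevant. Unset CA file, CA directory, certificate, key and cipher-suite fields are copied from the global `slap_tls_ld`, whereas `sb_tls_reqcert` is never inherited and is fixed to `"demand"`. I would state that above the function, e.g. `/* Fill unset TLS fields of bc from slapd's global TLS settings; reqcert is not inherited and defaults to "demand". */`. If slap_bindconf describes slapd's outbound connections, as the name suggests, the comment should also say that the server's own certificate and key become the client credentials unless the bindconf overrides them. The `sb_tls_crlcheck` default is filled in only under `HAVE_OPENSSL_CRL`, and none of the `ldap_pvt_tls_get_option` results are checked, so a failed lookup presumably just leaves the field unset; the same comment is the place to record that.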
 
 LDAP_SLAPD_F (int) slap_verbmasks_destroy LDAP_P(( slap_verbmasks *v ));
 LDAP_SLAPD_F (int) slap_verbmasks_append LDAP_P(( slap_verbmasks **vp,
        slap_mask_t m, struct berval *v, slap_mask_t *ignore ));
+LDAP_SLAPD_F (int) slap_tls_get_config LDAP_P((
+       LDAP *ld, int opt, char **val ));
+LDAP_SLAPD_F (void) bindconf_tls_defaults LDAP_P(( slap_bindconf *bc ));
 LDAP_SLAPD_F (int) bindconf_parse LDAP_P((
        const char *word,  slap_bindconf *bc ));
 LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((